From: Huxing Zhang
Date: Fri, 2 Mar 2018 11:23:49 +0800
Subject: Re: Private channel for reporting security issues
To: dev@dubbo.apache.org
Cc: Echo Wang
In-Reply-To: <13cfb711-a290-982e-24d8-bd6e3ef4d817@apache.org>
Hi Mark,

Thanks for the information. In that case, I am +1 for security@dubbo.apache.org.

Further question: if the vulnerability report is related to some project Dubbo depends on, what kind of action should the Dubbo security team take? Should we accept it, update to the fixed version, and then announce it?

On Thu, Mar 1, 2018 at 6:24 PM, Mark Thomas wrote:
> On 01/03/18 02:59, Echo Wang wrote:
>>>
>>> 1) private@dubbo.apache.org
>>
>>
>> +1
>
> With my mentor hat on:
>
> No.
>
> All security vulnerability reports need to be visible to the ASF
> security team and if they are reported directly to the private@ list
> that doesn't happen.
>
> The podling needs to choose which of the following addresses it wishes
> to publish for security reports and then make sure that the chosen
> address is clearly signposted:
>
> 1. security@dubbo.apache.org
> 2. security@apache.org
>
> If the podling chooses the first, the podling will need to request that
> that list is set up by INFRA. All security@.apache.org lists
> are automatically copied to the ASF security team.
>
> If the podling chooses security@a.o (the ASF wide security address),
> that team will then forward reports to private@dubbo.apache.org
>
> Now is probably also a good time for the project community to review the
> security vulnerability handling process:
>
> http://www.apache.org/security/committers.html
>
> Mark

-- 
Best Regards！
Huxing